Sendmail Installation and Operation Guide
SMM:08-33
The daemon usually runs as root, unless other measures are taken. At the point where sendmail is about to exec(2) a mailer, it checks to see if the userid is zero (root); if so, it resets the userid and groupid to a default (set by the U= equate in the mailer line; if that is not set, the DefaultUser option is used). This can be overridden by setting the S flag to the mailer for mailers that are trusted and must be called as root. However, this will cause mail processing to be accounted (using sa(8)) to root rather than to the user sending the mail.
A middle ground is to set the RunAsUser option. This causes sendmail to become the indicated user as soon as it has done the startup that requires root privileges (primarily, opening the SMTP socket). If you use RunAsUser, the queue directory (normally /var/spool/mqueue) should be owned by that user, and all files and databases (including user .forward files, alias files, :include: files, and external databases) must be readable by that user. Also, since sendmail will not be able to change its uid, delivery to programs or files will be marked as unsafe, e.g., undeliverable, in .forward, aliases, and :include: files. Administrators can override this by setting the DontBlameSendmail option to the setting NonRootSafeAddr. RunAsUser is probably best suited for firewall configurations that don't have regular user logins. If the option is used on a system which performs local delivery, then the local delivery agent must have the proper permissions (i.e., usually set-user-ID root) since it will be invoked by the RunAsUser, not by root.
4.9.2. Turning off security checks
Sendmail is very particular about the modes of files that it reads or writes. For example,
by default it will refuse to read most files that are group writable on the grounds that they might
have been tampered with by someone other than the owner; it will even refuse to read files in
group writable directories. Also, sendmail will refuse to create a new aliases database in an
unsafe directory. You can get around this by manually creating the database file as a trusted user
ahead of time and then rebuilding the aliases database with newaliases.
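The checks described above (and the ownership requirement RunAsUser places on the queue directory) can be audited before anyone considers relaxing them. The following script is an added example, not part of the Sendmail guide; it assumes only POSIX sh and ls(1), and the helper names (mode_of, dir_is_unsafe, unsafe_components, owned_by) are its own.

```shell
#!/bin/sh
# Added example (not from the Sendmail guide): audit helpers that apply the guide's own
# definitions before you reach for DontBlameSendmail. "Unsafe directory" is applied as the
# text states it: writable by anyone other than the owner, i.e. group- or world-writable
# (so sticky-bit directories such as /tmp are reported too). Only POSIX sh and ls(1).

# mode_of PATH: the ten-character mode string, e.g. "drwxr-xr-x", from ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# dir_is_unsafe DIR: succeed (0) if DIR is group- or world-writable.
dir_is_unsafe() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;   # char 6 = group write, char 9 = other write
        *) return 1 ;;
    esac
}

# unsafe_components PATH: print each unsafe directory between / and PATH (PATH itself
# included when it is a directory), one "dir mode" pair per line. Returns 1 if any found.
unsafe_components() {
    dir=$1
    [ -d "$dir" ] || dir=$(dirname "$dir")
    found=0
    while :; do
        if dir_is_unsafe "$dir"; then
            echo "$dir $(mode_of "$dir")"
            found=1
        fi
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break    # reached / (or a bare relative name)
        dir=$parent
    done
    return $found
}

# owned_by USER PATH: succeed if PATH's owner (third field of ls -ld) is USER; use it on
# the queue directory (normally /var/spool/mqueue) when you set RunAsUser.
owned_by() {
    [ "$(ls -ld "$2" | awk '{print $3}')" = "$1" ]
}

# Usage: sh sendmail-audit.sh /var/spool/mqueue /etc/mail/aliases ~user/.forward
for p in "$@"; do
    unsafe_components "$p" || echo "WARNING: $p is reachable through an unsafe directory"
done
```

Any directory the script reports is one sendmail will treat as unsafe for files beneath it, so fix the mode (or the ownership, for RunAsUser) rather than adding a DontBlameSendmail value.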
If you are quite sure that your configuration is safe and you want sendmail to avoid these
security checks, you can turn off certain checks using the DontBlameSendmail option. This
option takes one or more names that disable checks. In the descriptions that follow, "unsafe
directory" means a directory that is writable by anyone other than the owner. The values are:
Safe
No special handling.
AssumeSafeChown
Assume that the chown system call is restricted to root. Since some versions of UNIX permit regular users to give away their files to other users on some filesystems, sendmail often cannot assume that a given file was created by the owner, particularly when it is in a writable directory. You can set this flag if you know that file giveaway is restricted on your system.
ClassFileInUnsafeDirPath
When reading class files (using the F line in the configuration file), allow files that are
in unsafe directories.
DontWarnForwardFileInUnsafeDirPath
Prevent logging of unsafe directory path warnings for non-existent forward files.
ErrorHeaderInUnsafeDirPath
Allow the file named in the ErrorHeader option to be in an unsafe directory.
FileDeliveryToHardLink
Allow delivery to files that are hard links.
FileDeliveryToSymLink
Allow delivery to files that are symbolic links.